Two persons holding payment device and mobile phone showing how company can devalue their customers’ payment data to avoid CCPA penalties and litigation

Worried About CCPA? Devalue Your Company’s Payments Data

In February 2020, Salesforce got its first taste of CCPA enforcement. Customers of children’s clothing retailer Hanna Anderson sued both the tech giant and the retailer for failing to prevent the compromise of customer credit card numbers and other personally identifiable information (PII) during a data breach discovered January 15.

The Salesforce case won’t be the end of CCPA-related litigation on data breaches. The California law, which went into effect January 1, imposes tough penalties on companies that fail to implement “reasonable security measures and practices” to protect “nonencrypted and nonredacted” PII. It also gives affected customers a right to civil action against those companies.

Unfortunately, the law isn’t very specific about defining those “reasonable security measures and practices.” But there’s one thing all companies can do that will enormously reduce their risk of CCPA-related penalties and litigation: They can devalue their data by using techniques that make it incredibly difficult for hackers to exploit.

Building stronger cyber defenses will not be enough

News reports tend to apply the terms “data breach,” “data theft” and “data compromise” interchangeably, but they’re not the same thing. A breach occurs any time a hacker gains unauthorized access to data, whether they steal it or not. Data theft occurs when a hacker extracts data from a company’s systems. But whether hackers are able to compromise data they’ve stolen by selling it, exposing it or otherwise exploiting it is another story.

Many cybersecurity efforts aim to prevent data breaches and data theft. For example, many companies implement two-factor authentication to strengthen password protection or train staff to spot phishing emails and other social engineering attacks. However, while efforts like these are important, strengthening the digital “walls” protecting sensitive data won’t be enough on its own. Every wall has its gaps, and it’s only a matter of time before a hacker finds yours and breaks through.

That’s why devaluing data is so important. While breaches can still happen, data compromise is not inevitable. By making your data useless to hackers, you can ensure your customers’ privacy is protected even in case of a breach.

How to devalue your data

There are two main strategies for devaluing data, and the data use case usually determines which strategy a company should deploy.

  • Tokenization encodes each piece of PII with a pseudonym — usually a random string of numbers — that will be stored on the company’s servers instead of the PII itself. This “token” can be linked back to the PII only via information stored in an outside, secure location. Tokenization is most appropriate for PII that will be stored for the long term, such as credit cards on file in a retailer’s loyalty program.
  • Encryption renders data unintelligible to anyone who doesn’t possess an associated digital key. Encryption protects PII while a transaction is in progress or while data is otherwise in transit.

While most businesses encrypt their data to some degree, for CCPA compliance it’s important that companies use an encryption standard certified by an industry association or other authority. It’s likely that California’s enforcement of CCPA will follow the pattern set by the European Union’s GDPR enforcement. After a data breach, judges will likely decide whether a company’s security measures were “reasonable” based on whether those measures followed best practices within the company’s industry. Using certified encryption is your safest bet.

Payments data is most vulnerable

CSOs and other C-suite leaders tend to look at the big picture when it comes to protecting data. They want to secure all types of PII at once, from social security numbers to medical records. However, if you’re starting from zero (or close to it), there’s one type of PII you should prioritize protecting first: payments data.

Payments data is the easiest type of PII to monetize, since hackers can sell credit and debit card numbers to fraudsters. That makes payments data an important target for cyberattacks. By examining your payments data pipeline closely, you can spot vulnerabilities that might expose unencrypted PII to hackers.

For example, at many companies point of sales (POS) devices are a primary source of vulnerability. Most organizations encrypt payments data once it’s in their systems, but that leaves data exposed at the moment it’s collected by a card reader or other hardware device. Hackers already exploit this loophole: For example, in 2019 malware was found in POS devices at more than 850 WaWa convenience stores in the U.S. The malware had gone undetected for eight months, compromising an unknown number of credit and debit cards.

Devaluing data helps CCPA compliance

In the fight to protect PII, strengthening passwords and bolstering cyber defenses will only go so far. Companies should operate under the assumption that they will eventually suffer a data breach, no matter what precautions they take.

Payment data should be prioritized for data devaluing as it’s the easiest PII for #hackers to monetize. #dataprotection #respectdataClick to Tweet

Therefore, organizations must ensure that when a breach does happen, hackers can’t use the data that falls into their hands. Companies must use tokenization and encryption to devalue all collected PII, including PCI-validated point-to-point encryption (P2PE) at the POS, which is the gold standard in payments security endorsed by the PCI SSC. It’s the only way to avoid penalties and lawsuits under CCPA — and serve your customers well by protecting their data.